CVE-2026-4436
Modbus Packet Manipulation Enables Odorant Injection Tampering
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: ICS-CERT
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpl_odorizers | gpl750 | * |
| horner_automation | xl4 | * |
| horner_automation | xl4_prime | * |
| horner_automation | xl7 | * |
| horner_automation | xl7_prime | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4436 is a high-severity vulnerability affecting GPL Odorizers' GPL750 devices and Horner Automation's XL4, XL4 Prime, XL7, and XL7 Prime controllers.
A low-privileged remote attacker can send Modbus packets to manipulate register values that control the odorant injection logic, causing too much or too little odorant to be injected into a gas line.
This manipulation poses significant safety risks in critical manufacturing and infrastructure sectors worldwide.
How can this vulnerability impact me?
The vulnerability allows an attacker to alter the amount of odorant injected into gas lines, which can lead to safety hazards such as undetected gas leaks or false alarms.
This can compromise the safety of critical infrastructure and manufacturing environments, potentially causing dangerous situations for personnel and the public.
Additionally, the vulnerability has a CVSS v3.1 base score of 8.6, indicating a high impact on integrity with no impact on confidentiality or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized Modbus packets that manipulate register values related to odorant injection logic.
CISA recommends minimizing network exposure of control system devices and isolating control networks behind firewalls to reduce attack surface.
While specific commands are not provided, network administrators should monitor Modbus traffic for unusual or unexpected register write commands targeting GPL Odorizers' GPL750 devices and Horner Automation XL Series controllers.
Using network analysis tools to capture and inspect Modbus TCP packets for suspicious activity can help detect exploitation attempts.
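One way to implement the register-write monitoring described above, as an added example that is not from the advisory or either vendor: it parses Modbus/TCP payloads already extracted from a capture and reports write requests from hosts outside an allowlist. The IP addresses, register addresses and sample frames are constructed, and the allowlist is an assumption; the page does not state which registers hold the odorant injection logic.

```python
import struct

# Modbus function codes that change device state (from the Modbus application protocol).
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
               0x16: "Mask Write Register"}

# Assumption: the only host expected to write to the controller (constructed address).
ALLOWED_WRITERS = {"10.0.5.10"}

def parse_writes(payload: bytes):
    """Yield (unit, func, address, count) for each write request in one TCP payload."""
    off = 0
    while off + 8 <= len(payload):  # a payload may carry several pipelined requests
        _tid, proto, length, unit, func = struct.unpack_from(">HHHBB", payload, off)
        end = off + 6 + length      # MBAP length counts the unit id and the PDU
        if proto != 0 or length < 2 or end > len(payload):
            return                  # not Modbus/TCP, or a truncated frame
        if func in WRITE_FUNCS and end - (off + 8) >= 4:
            addr, second = struct.unpack_from(">HH", payload, off + 8)
            # Multi-write requests carry a quantity; single writes touch one item.
            yield unit, func, addr, (second if func in (0x0F, 0x10) else 1)
        off = end

def alerts(packets):
    """Return one line per write request sent by a host outside ALLOWED_WRITERS."""
    out = []
    for src, payload in packets:
        if src in ALLOWED_WRITERS:
            continue
        for unit, func, addr, count in parse_writes(payload):
            out.append(f"{src} unit={unit} {WRITE_FUNCS[func]} addr={addr} count={count}")
    return out

# Constructed sample traffic: (source IP, TCP payload sent to port 502).
SAMPLE = [
    ("10.0.5.20", bytes.fromhex("000100000006010300000002")),            # read, ignored
    ("10.0.5.10", bytes.fromhex("00020000000601060064000a")),            # allowed writer
    ("10.0.9.77", bytes.fromhex("0003000000060106006403e7")),            # unexpected write
    ("10.0.9.77", bytes.fromhex("00040000000b011000c80002" "0400010002")),  # multi-write
]

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print("ALERT", line)
```
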
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating to the latest GPL750 software version and the latest firmware from Horner Automation (firmware version 15.76 for XL Series and 17.30 for XL Prime Series).
Users must clear old files from microSD cards, retaining only the LOGS folder and FIRMWARE.LIC file if a WebMI license is present, then extract the updated files to the root directory of the microSD card.
GPL Odorizers can provide preconfigured microSD cards for easier installation if users lack IT permissions.
Additional recommended practices include minimizing network exposure of control system devices, isolating control networks behind firewalls, using secure remote access methods such as VPNs (while keeping them updated), and following best practices for industrial control system cybersecurity.
Organizations should conduct impact analysis and risk assessments before deploying mitigations and report any suspected malicious activity to CISA.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.